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(54) Authentication method and arrangement 

(57) The invention relates to a method and arrange- 
ment, with which an operator can provide an authenti- 
cation service to another operator. The arrangement 
comprises means (304) for finding the IP address of an 
authentication operator, means (304, 306, 310) for for- 
warding the identification information to a network ele- 
ment of the authentication operator comprising a home 
location register, means (316, 320) for retrieving infor- 
mation required for subscriber authentication to an au- 



thentication server, means (310, 312, 314, 316) for 
transmitting an authentication number to a local net- 
work, means (170) for calculating an identification 
number for the subscriber, means (304, 306, 308, 310, 
312, 314) fortransmitting the identification numberto an 
authentication server that compares an identification 
number in its memory with the identification number 
transmitted from the local network and means (304, 306, 
310, 312, 314, 316) for transmitting an authentication 
approved or rejected message. 
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Description 

FIELD 

[0001 ] The invention relates to a method and arrange- 
ment with which an operator can provide an authentica- 
tion service to another operator. 

BACKGROUND 

[0002] In GSM systems (Global System for Mobile 
communications), the identification and billing of a radio 
network services subscriber is based on the use of a 
SIM (Subscriber Identity Module) card. When a sub- 
scriber line is opened, the subscriber is provided with a 
SIM card of the operator. The SIM card contains sub- 
scriber information and it can be used for security meas- 
ures, such as encryption of radio traffic and subscriber 
information and authentication, by which the access of 
unregistered users is prevented. The identification mod- 
ule of a UMTS subscriber is called USIM (UMTS sub- 
scriber identity module). 

[0003] Authentication, which refers to the authentica- 
tion of a subscriber, i.e. verification of rights or reliability, 
for instance, is typically performed in the GSM networks 
as follows: the network gives the subscriber a random 
number RAND that user equipment (or the SIM card in 
it) uses together with a secret parameter Ki to calculate 
with an encryption algorithm A3 a new number SRES to 
transmit to the network. The network also calculates 
SRES using the known Ki and the same algorithm and 
compares it with the one calculated in the user equip- 
ment. If theSRES numbers are the same, the subscriber 
is entitled to use the network. The procedure is the same 
in UMTS networks. 

[0004] Today, a local network, in which telephone traf- 
fic is switched over a radio path, is very often built in 
limited areas, such as offices or shopping centres. 
These networks are generally called wireless local area 
networks WLAN. An operator providing local network 
services to its customers has to obtain GSM or UMTS 
network elements, such as HLR (Home Location Reg- 
ister, required in authentication even though it does not 
need them otherwise. This increases the operator's 
costs. 

BRIEF DESCRIPTION 

[0005] It is an object of the invention to implement a 
method and an apparatus implementing the method in 
such a manner that a local network operator can obtain 
authentication services from another operator. This is 
achieved by the method for subscriber authentication. 
The method comprising: providing the subscriber with 
identification information that comprises information on 
the network of the subscriber, finding the IP address of 
an authentication operator corresponding to the identi- 
fication information for transmitting the identification in- 



formation and an authentication request to an authenti- 
cation network, forwarding the identification information 
to the network of the authentication operator, retrieving 
from a home location register the information required 

5 for subscriber authentication, transmitting an authenti- 
cation number to a local network, calculating an identi- 
fication number in the identity module of the subscriber, 
transmitting the identification number to an authentica- 
tion server of the authentication operator's network that 

10 compares an identification number in its memory with 
the identification number transmitted from the local net- 
work, transmitting an authentication approved or reject- 
ed message obtained as a result of the comparison to 
an access controller of the local network. 

15 [0006] The invention also relates to an arrangement 
for subscriber authentication. The arrangement com- 
prises means for finding the IP address of an authenti- 
cation operator corresponding to identification informa- 
tion for transmitting the identification information and an 

20 authentication request to an authentication network; the 
arrangement comprises means for forwarding the iden- 
tification information to the network of the authentication 
operator; the arrangement comprises means for retriev- 
ing information required for subscriber authentication to 

25 an authentication server; the arrangement comprises 
means for transmitting an authentication number to a 
local network; the arrangement comprises means for 
calculating an identification number for the subscriber; 
the arrangement comprises means for transmitting the 

30 identification number to an authentication server of the 
authentication operator that compares an identification 
number in its memory with the identification number 
transmitted from the local network; the arrangement 
comprises means for transmitting an authentication ap- 

35 proved or rejected message obtained as a result of the 
comparison to an access controller of the local network. 
[0007] Preferred embodiments of the invention are 
set forth in the dependent claims. 
[0008] The invention is based on the fact that an op- 

40 erator uses the network elements of another operator. 
[0009] The method and arrangement of the invention 
make it possible for a WLAN operator to provide an au- 
thentication service to a GSM or UMTS network. 



[0010] The invention will now be described in greater 
detail by means of preferred embodiments and with ref- 
erence to the attached drawings, in which 



Figure 1 shows an example of a telecommunica- 
tions system, 
Figure 2 is a flow chart, 

Figure 3 shows an example of an arrangement for 
55 performing authentication. 
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DESCRIPTION OF THE EMBODIMENTS 

[0011] With reference to Figure 1, the following de- 
scribes the GSM (Global System for Mobile communi- 
cations) radio system, the EDGE (Enhanced Data Rates 5 
for Global Evolution) system that is a radio system 
based on the GSM system with a higher data transmis- 
sion rate, and the UMTS (Universal Mobile Telecommu- 
nications System) radio system. For the sake of illustra- 
tion, Figure 1 is simplified and only shows the most im- 10 
portant parts of a radio system and the interfaces be- 
tween them. 

[0012] The main parts of a radio system are the core 
network (CN) 100, radio access network 130 and user 
equipment (UE) 170. The term UTRAN is derived from 15 
the words UMTS terrestrial radio access network, i.e. 
radio access network. The radio access network be- 
longs to the third generation and is implemented by 
wideband code division multiple access (WCDMA). Fig- 
ure 1 also shows a base station system 1 60 that belongs 20 
to the 2/2.5 generation and allocates radio resources to 
different users by time division multiple access (TDMA). 
[0013] The structure of the core network 100 corre- 
sponds to the structure of combined GSM and GPRS 
systems. 25 
[001 4] A mobile services switching centre (MSC) 1 02 
serves the base station system 160. The tasks of the 
mobile services switching centre typically include 
switching, paging, user equipment location registration, 
handover management and collecting subscriber ac- 30 
counting information. The number of mobile services 
switching centres may vary: a small network operator 
may only have one mobile services switching centre, but 
large core networks may have several. Figure 1 also 
shows a second mobile services switching centre 104, 35 
but its connections to other network elements are not 
shown to keep Figure 1 clear. 

[0015] Large core networks may have a separate 
gateway mobile services switching centre (GMSC) 1 06 
that takes care of the circuit-switched connections be- 40 
tween the core network 1 00 and external networks. The 
task of the gateway mobile services switching centre is 
to take care of the connections between the mobile serv- 
ices switching centres and external networks. An exter- 
nal network can be a public land mobile network 45 
(PLMN), a public switched telephone network (PSTN) 
or the Internet. 

[001 6] The core network typically also comprises oth- 
er parts, such as a home location register (HLR) con- 
taining a permanent subscriber register, a visitor loca- 50 
tion register (VLR) containing roaming information on 
user equipment 170 in the area of the mobile services 
switching centre 102, and if the radio system supports 
the GPRS system, also a PDP (packet data protocol) 
address. All parts of the core network are not shown in 55 
Figure 1 to keep it illustrative. 

[0017] A serving GPRS support node (SGSN) 108, in 
turn, serves the packet-switched side of the core net- 
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work. The main task of the serving GPRS support node 
108 is to transmit to and receive packets from user 
equipment 170 supporting packet-switched transmis- 
sion by utilising the base station system 1 60. The serv- 
ing GPRS support node 108 contains subscriber infor- 
mation and location information concerning the user 
equipment 170. 

[0018] A gateway GPRS support node (GGSN) 1 1 0 is 
the packet-switched side counterpart for the circuit- 
switched side gateway mobile services switching cen- 
tre, so it takes care of the traffic between the external 
networks and the radio network. 
[0019] The base station system 160 is made up of a 
base station controller (BSC) 166 and base transceiver 
stations (BTS) 1 62, 1 64. The base station controller 1 66 
controls the base transceiver station 162, 164. In prin- 
ciple, the aim is that devices implementing a radio path 
including their functions reside in the base transceiver 
station 1 62, 1 64, and control devices reside in the base 
station controller 166. The implementation method can 
naturally differ from this principle. 
[0020] The base station controller 1 66 generally takes 
care of the following tasks, for instance: management 
of base transceiver station 162, 164 radio resources, 
intercell handovers, frequency management, i.e. the al- 
location of frequencies to the base transceiver stations 
1 62, 1 64, management of frequency hopping sequenc- 
es, measurement of time delays on the uplink, imple- 
mentation of an interface for operation and mainte- 
nance, and power control management. 
[0021] The base transceiver station contains at least 
one transceiver that implements one carrier. In the GSM 
systems, one carrier usually comprises eight time slots, 
i.e. eight physical channels. One base transceiver sta- 
tion can serve one cell or several sectored cells. The 
diameter of a cell may vary from a few metres to dozens 
of kilometres. A base transceiver station is often also 
considered to contain a transcoder that converts be- 
tween the speech-coding format used in the radio sys- 
tem and the speech coding format used in the public 
telephone network. However, in practice, the transcoder 
usually physically resides in the mobile services switch- 
ing centre. The tasks of the base transceiver station in- 
clude timing advance calculation, uplink measure- 
ments, channel coding, encryption, decryption and fre- 
quency hopping. 

[0022] The radio access network 130 is made up of 
radio network subsystems 140, 150. Each radio network 
subsystem is made up of a radio network controller 
(RNC) 146, 156 and B nodes 142, 144, 152, 154. In- 
stead of the B node concept, the term base station is 
often also used. It can be said that in functionality, the 
radio network controller corresponds to the base station 
controller of the GSM system and the B node the base 
transceiver station of the GSM system. Solutions also 
exist, in which it is possible to implement both a TDMA 
interface and a WCDMA radio interface with the same 
device simultaneously. 
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[0023] The user equipment 170 comprises mobile 
equipment (ME) 172 and a subscriber identity module 
(SIM) or UMTS subscriber identity module (USIM) 1 74. 
The user equipment can contain one or more different 
subscriber identity modules depending on the number 
of networks with different standards the equipment is to 
operate. The user equipment contains at least one 
transceiver and an antenna, user interface and battery. 
There are many types of user equipment: car-installed 
or portable. The same features as in personal or porta- 
ble computers are also implemented in user equipment. 
[0024] Additional information on radio telecommuni- 
cations systems is found in the literature and standards 
of the field. 

[0025] Next, one preferred embodiment of a method, 
with which an operator can provide an authentication 
service to another operator, is described using the flow 
chart of Figure 2. A local network operator can have a 
WLAN network, for instance, and it buys GSM authen- 
tication services for its customers from a GSM operator. 
The operator, from which the authentication services are 
bought, is called an authentication operator herein. 
WLAN networks refer to wireless local area networks 
that can be implemented using different standards. The 
standard of the wireless local area network bears no sig- 
nificance to the invention, so it is not described in more 
detail herein. Additional information on WLAN networks 
is found in the literature and standards of the field. 
[0026] The execution of the method starts in block 
200. 

[0027] In block 202, a subscriber is provided with 
identification information that comprises information on 
the subscriber's network. The identification information 
can be IMSI (International Mobile Subscriber Identity) 
or a character string attached to it or a combination 
thereof. IMSI comprises at least a mobile country code 
(MCC), mobile network code (MNC) and mobile sub- 
scriber identification number (MSIN). The character 
string attached to IMSI can for instance be a realm char- 
acter string suitable for the purpose. Realm character 
strings are generally used in the Internet to group users 
for authentication and authorization. IMSI is typically 
stored in the subscriber identity module, i.e. SIM (GSM) 
or USIM (UMTS) card, for instance. The operator selling 
authentication services, i.e. in this case the GSM or 
UMTS operator, hands overthe SIM or USIM card to the 
local network operator. Identification information typical- 
ly indicates where the identification information is to be 
transmitted. 

[0028] It should be noted that the authentication op- 
erator, i.e. the operator selling authentication services, 
initializes the identity modules and the local network op- 
erator defines identification information pools or groups, 
for instance realms. The authentication operator can sell 
authentication services by means of identity modules 
and the local operator can define different subscribers 
by means of identification information pools or groups 
to the networks of different operators for authentication. 



[0029] In block 204, the IP (Internet protocol) address 
of the authentication operatorcorrespondingtothe iden- 
tification information is found for transmitting the identi- 
fication information and an authentication request to the 

5 authentication network. The identification information 
typically indicates where it should be transmitted. 
[0030] In block 206, the identification information and 
authentication request are transmitted to the IP address 
in question through an AAA server of the local network. 

10 An AAA server refers to a server that takes care of au- 
thentication, authorization and accounting. Examples of 
AAA servers are a RADIUS (Remote Authentication for 
Dial-In User Service) server and Diameter server. The 
identification information and authentication request 

15 can be combined into one term or transmitted as sepa- 
rate terms. The AAA server of the local network trans- 
mits the identification information on to the AAA server 
of the authentication operator. 

[0031 ] In block 208, information required in subscriber 
20 authentication is retrieved from the home location reg- 
ister; the information is usually a triplet that comprises 
a random number RAND, secret parameter Kc and 
SRES number. Generally, the authentication server per- 
forms the above action. The secret parameter Kc, which 
25 is related to encryption, is not actually needed in authen- 
tication. 

[0032] The information of all users is stored in the 
home location register (HLR). The home location regis- 
ter contains the following, for instance: subscriber's IM- 

30 si, mobile subscriber's International ISDN number 
MSISDN (Mobile Subscriber Integrated Services Digital 
Network), authentication key Ki, information on sub- 
scriber's supplementary services, and the location of the 
subscriber's current visitor location register (VLR). 

35 [0033] Next, in block 21 0, the authentication number, 
i.e. RAND, for instance, is transmitted through the Inter- 
net to the local network. 

[0034] In block 212, the subscriber's identity module 
(SIM or USIM card) calculates the identification number 

40 (SRES) by using an algorithm A3, authentication 
number RAND and secret authentication parameter Ki. 
[0035] In block 21 4, the identification number is trans- 
mitted to the authentication server of the authentication 
operator that compares the identification number re- 

45 ceived from HLR with the identification number calcu- 
lated in the subscriber's identity module. In block 216, 
an authentication approved or rejected message ob- 
tained as a result of the comparison is transmitted to the 
access controller of the local network. If the identifica- 

50 tion numbers are the same, an approval message is 
transmitted, and if they are different, the authentication 
request is rejected. 

[0036] The method ends in block 21 8. The method is 
typically implemented by software supported by the nec- 
55 essary hardware. 

[0037] The billing of the customer can be done by RA- 
DIUS Accounting Start and Accounting Stop messages 
created in the AAA server of the local network. The bill- 
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ing information can also be transmitted to a GSM net- 
work, for instance. In such a case, an accounting start 
command is transmitted to the AAA server of the local 
network after the subscriber has been granted access 
to the network, i.e. when a call or data transmission be- 
gins. The accounting start command can be transmitted 
on to the authentication server. An accounting stop com- 
mand is transmitted in the same manner after the call 
or data transmission ends. Billing is typically based on 
the time elapsed or data transmitted between the ac- 
counting start and stop commands. Another possible 
billing method is pricing the service according to the 
number of performed actions, for instance. 
[0038] Next, the arrangement for subscriber authen- 
tication and billing is described by means of the example 
in Figure 3. The example of Figure 3 shows part of a 
radio system 302 according to the GSM system and one 
possible local network 300. The network of the authen- 
tication operator can also be according to some other 
standard. The local network operator buys the neces- 
sary authentication services from another operator. The 
local network operator can have a WLAN network, for 
instance, and it buys GSM authentication services for 
its customers from a GSM operator. WLAN networks re- 
fer to wireless local area networks implemented by var- 
ious standards. The standard of the wireless local area 
network bears no significance to the invention, so it is 
not described in more detail herein. Additional informa- 
tion on WLAN networks is found in the literature and 
standards of the field. 

[0039] In Figure 3, the user equipment 1 70 wants au- 
thentication for a local network by using a subscriber 
identity module 1 74, and the equipmenttransmits an au- 
thentication request to the network. The authentication 
request is forwarded to an AAA server 304, which can 
be RADIUS, for instance, through an access controller 
308. The access controller 308 can be a separate device 
or it can be a functional part of another network element, 
such as a base transceiver station. The RADIUS client 
can reside in the access controller, base transceiver sta- 
tion or radio network controller. 

[0040] The access controller 308 is a gateway be- 
tween the Internet and the user equipment of a local net- 
work. Among otherthings, the access controller controls 
datacomingthrough and transmitted to the Internet. The 
access controller also collects billing information, such 
as used network time and amount of transmitted data. 
[0041] The subscriber is provided with identification 
information that indicates that the subscriber is a user 
of the local network. The identification information can 
be IMSI (International Mobile Subscriber Identity) or a 
character string attached to it or a combination thereof. 
IMSI comprises at least a mobile country code (MCC), 
mobile network code (MNC) and mobile subscriber 
identification number (MSIN). The character string at- 
tached to IMSI can for instance be a realm character 
string suitable for the purpose. Realm character strings 
are generally used in the Internet to group users for au- 



thentication and authorization. IMSI is typically stored in 
the subscriber identity module, i.e. SIM (GSM) or USIM 
(UMTS) card, for instance. The operator selling authen- 
tication services, i.e. in this case the GSM or UMTS op- 
5 erator, hands over the SIM or USIM card to the local 
network operator. Identification information typically in- 
dicates where the identification information is to be 
transmitted. 

[0042] The AAA server 304 finds the IP (Internet Pro- 

10 tocol) address of the authentication operator corre- 
sponding to the identification information and transmits 
the identification information and an authentication re- 
quest to the IP address in question. AAA server refers 
to a server that takes care of authentication, authoriza- 

*5 tion and accounting. Examples of AAA servers are the 
RADIUS (Remote Authentication for Dial-In User Serv- 
ice) server and Diameter server. The identification infor- 
mation and authentication request can be combined into 
one term or transmitted as separate terms. The identi- 

20 fication information is transmitted to an AAA server 314 
of the network for which authentication is requested. 
The AAA server of the local network comprises or is con- 
nected to a proxy server 306 that transmits traffic over 
the Internet 310. 

25 [0043] Between the AAA server 314 of the authenti- 
cation network and the Internet, there is a proxy server 
312 connected to the AAA server of the authentication 
network. The AAA server 314 of the authentication op- 
erator forwards the IMSI parameter to an authentication 

30 server 31 6. 

[0044] The authentication server 316 provides au- 
thentication services of the GSM system to other sys- 
tems. It provides SIM-based authentication and billing 
services to the access controller, which in this example 

35 belongs to the local network. 

[0045] The information required for subscriber au- 
thentication is retrieved from a home location register 
320; the information being a triplet comprising a random 
number RAND, secret parameter Kc and SRES number. 

40 [0046] Authentication is typically performed as fol- 
lows: the network provides the random number RAND 
to the subscriber, the user equipment calculates using 
a secret parameter Ki and an encryption algorithm A3 a 
new number SRES that is transmitted to the network. 

45 The network also calculates SRES and compares it with 
the one calculated by the user equipment. If the SRES 
numbers are the same, the subscriber is entitled to use 
the network. 

[0047] The triplet is returned to the authentication 
50 server 31 6 that transmits the RAND number through the 
AAA server 314 and proxy server 312 of the authenti- 
cation network to the Internet 310 and from there on 
through the proxy server 306 and the AAA server 304 
of the local network to the access controller 308. The 
55 access controller transmits the RAND number on to the 
user equipment 170, the identity module of which cal- 
culates the SRES number. 

[0048] The calculated SRES number is transmitted to 
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the authentication server 316 through the access con- 
troller 308, AAA servers 304, 314 and proxy servers 
306, 312. The authentication server compares the 
SRES numbers calculated in the GSM network (HLR) 
and user equipment with each other. On the basis of the 
comparison, the authentication server either approves 
or rejects the subscriber authentication and transmits a 
message accordingly to the access controller. 
[0049] The billing of the customer can be done by RA- 
DIUS Accounting Start and Accounting Stop messages 
created in the access controller308 of the local network. 
The billing information can also be transmitted to the 
GSM network, for instance. The messages are then 
transmitted to a GSM network through an Internet con- 
nection. The authentication server 31 6 can also gener- 
ate GSM billing information. 

[0050] If billing is done in the manner described 
above, the access controller 308 transmits an account- 
ing start command to the AAA server 304 of the local 
networkthrough the proxy server 306 afterthe subscrib- 
er has been granted access to the network, i.e. when a 
call or data transmission begins. The accounting start 
command is taken through the Internet 31 0 to the AAA 
server 312, 31 4 of the authentication network and from 
there on to the authentication server 31 6. An accounting 
stop command is transmitted in the same manner from 
one network element to another after the call or data 
transmission ends. Billing is typically based on the time 
elapsed or data transmitted between the accounting 
start and stop commands. Anotherpossiblebilling meth- 
od is pricing the service according to the number of per- 
formed actions, for instance. 

[0051] The arrangement is typically implemented in 
such amannerthatthe network elements have software 
to execute the required functions. The arrangement can 
also have memory elements for storing information. 
[0052] Even though the invention has been explained 
in the above with reference to an example in accordance 
with the accompanying drawings, it is apparent that the 
invention is not restricted to it but can be modified in 
many ways within the scope of the inventive idea dis- 
closed in the attached claims. 



Claims 

1. A method for subscriber authentication in a tele- 
communications system comprising a network of a 
local network operator, i.e. local network, and a net- 
work of an authentication operator, i.e. authentica- 
tion network, characterized by: 

(202) providing a subscriber with identification 
information that comprises information on the 
network of the subscriber, 
(204) finding the IP address of an authentica- 
tion operator corresponding to the identification 
information for transmitting the identification in- 



formation and an authentication request to an 
authentication network, 
(206) forwarding the identification information 
to the authentication network, 

5 (208) retrieving from a home location register 

of the authentication network the information 
required for subscriber authentication that com- 
prises an authentication number, 
(21 0) transmitting the authentication numberto 

10 the local network, 

(212) calculating an identification number by 
means of the authentication number in an iden- 
tity module of the subscriber, 
(214) transmitting the identification numberto 

15 an authentication server of the authentication 

operator's networkthat compares an identifica- 
tion number in its memory with the identification 
number calculated in the identity module of the 
subscriber, 

20 (216) transmitting an authentication approved 

or rejected message obtained as a result of the 
comparison to an access controller of the local 
network. 

25 2. A method as claimed in claim 1 , characterized in 

that the identification information is IMSI, a charac- 
ter string (realm) attached to IMSI or a combination 
thereof. 

30 3. a method as claimed in claim 1 , characterized in 

that the information required for authentication 
comprises a RAND number and an SRES number. 

4. A method as claimed in claim 1 , characterized in 

35 that the identity module is a SIM card or a USIM 
card. 

5. A method as claimed in claim 1 , characterized in 

that the AAA server of the authentication network 
40 is a RADIUS server. 



6. A method as claimed in claim 1 , characterized in 

that the AAA server of the authentication network 
is a Diameter server. 

45 

7. An arrangement for subscriber authentication in a 
telecommunications system comprising a network 
of a local network operator, i.e. local network, and 
a network of an authentication operator, i.e. authen- 

50 tication network, characterized in that 

the arrangement comprises means (304) for 
finding the IP address of an authentication operator 
corresponding to identification information fortrans- 
mitting the identification information and an authen- 
55 tication request to an authentication network; 

the arrangement comprises means (304, 306, 
310) for forwarding the identification information to 
the network of the authentication operator; 
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the arrangement comprises means (316, 320) 
for retrieving information required for subscriber au- 
thentication and comprising an authentication 
number from the home location register of the au- 
thentication network; 

the arrangement comprises means (310,312, 
314, 316) for transmitting the authentication 
number to the local network; 

the arrangement comprises means (170) for 
calculating an identification number for the sub- 
scriber by means of the authentication number; 

the arrangement comprises means (304, 306, 
308, 310, 312, 314) for transmitting the identifica- 
tion number to the authentication server of the au- 
thentication operator's network that compares an 
identification number in its memory with the identi- 
fication number calculated in the subscriber identity 
module; 

the arrangement comprises means (304, 306, 
31 0, 31 2, 31 4, 31 6) for transmitting an authentica- 
tion approved or rejected message obtained as a 
result of the comparison to an access controller of 
the local network. 

8. An arrangement as claimed in claim 9, character- 25 
ized in that the identification information is IMSI, a 
character string (realm) attached to IMSI or a com- 
bination thereof. 

9. An arrangement as claimed in claim 9, character- 30 
ized in thatthe information required for authentica- 
tion comprises a RAND number and an SRES prod- 
uct. 

10. An arrangement as claimed in claim 9, character- 35 
ized in that the means for calculating the subscrib- 
er's identification number in the user equipment is 
an identity module. 

11. An arrangement as claimed in claim 9, character- 40 
ized in that the AAA server of the authentication 
network is a RADIUS server. 

12. An arrangement as claimed in claim 9, character- 
ized in that the AAA server of the authentication 45 
network is a Diameter server. 
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